North American Network Operators Group

RE: Yahoogroups and Carnivore

  • From: Len Sassaman
  • Date: Mon Sep 17 17:39:57 2001

On Mon, 17 Sep 2001, Patrick W. Gilmore wrote:

> My understanding is that it is not inline, it uses a "monitor port" on a
> switch which duplicates all traffic.
>
> If that is the case, then it is not a silly statement, it is factually
> correct.
>
> Can anyone confirm or deny the above?

You are correct, Patrick. Carnivore is a passive network monitor, and
passive attacks are undetectable. The only way a DCS1000 system would
interrupt your network would be if it were improperly installed. (The FBI
agent unplugs something he shouldn't, or decides to change your network
layout to get everything flowing past his Carnivore box.)

At NANOG 20, the FBI demonstrated Carnivore to the attendees. One of those
attendees was kind enough to write a report and anonymously publish it.

http://cryptome.org/carnivore-demo.htm

It's basically a sniffer with some really nice filtering and
post-processing. By filtering, I mean filtering of the data logged, not of
the data flowing through the network.


--Len.